Tom Lane wrote:
> "Florian G. Pflug" <fgp(at)phlo(dot)org> writes:
>
>> I believe it would be sufficient to add an additional column to pg_hba.conf
>> called "On Failure". The value could either be "Continue" or "Abort", with
>> the default being "Abort" to match the current behaviour.
>>
>
> Then you get into the problem that it has to work for *all* auth
> methods, which in general it will not, because the client probably isn't
> prepared for multiple auth challenges. Jeroen's kluge avoids that by
> only working for an auth method that doesn't involve a client challenge.
>
Yes, if we did that we'd probably have to fix libpq to allow for it (and
any native protocol implementations such as JDBC). Can the wire protocol
handle it?
> The example you cited is easily implemented without any new features,
> anyway, using "samegroup":
>
> local all samegroup ident sameuser
> local all all md5
>
> where users are made members of the group/role named after the database
> they are allowed to log into without a password.
>
>
>
I was just composing almost this identical example ;-)
'samegroup' is a much overlooked feature, I believe, and should be
extremely useful for hosting providers especially.
cheers
andrew